wseltzer closed 5 years ago
Updated to include the consider-the-malicious-actor point as an example of deciding the unexpected inferences of a capability.
I didn't add the invisible/drive-by case because these questions are for when we're designing a feature that the designer thinks needs a permission.
Nice write-up! In section 3, "What capabilities are implicated by the resource, sensor or functionality that you're adding?" you might add "Put yourself in the shoes of a malicious actor to consider the range of possible misuses of the feature. Would the web better serve user expectations if the feature were unavailable to invisible 'drive-by' use?"